Add TCM access control page #3866
b241d6a to 5a904ed
* - ``cluster.lowlevel.state.read`` | ||
- Read low-level information about cluster configuration (for debug purposes) | ||
|
||
* - ``cluster.lowlevel.state.write`` | ||
- Write low-level information about cluster configuration (for debug purposes) |
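Review bot: The description of ``cluster.lowlevel.state.write`` says only "Write low-level information about cluster configuration (for debug purposes)", which does not tell an administrator what a holder of this permission can actually change. Suggest stating what the write covers and whether the permission is meant to be part of regular roles, and clarifying the ``cluster.lowlevel.state.read`` row in the same way.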
move it to the bottom please to make it
* - ``admin.lowlevel.state.read`` | ||
- Read low-level information from |tcm| storage (for debug purposes) | ||
|
||
* - ``admin.lowlevel.state.write`` | ||
- Write low-level information to |tcm| storage (for debug purposes) |
move it to the bottom please
- Toggle development mode | ||
|
||
* - ``user.password.change`` | ||
- Change own password |
let's remove. seems that we don't use it in tcm, sorry
set of permissions for each cluster. | ||
|
||
Technically, cluster permissions define pages shown in the **Cluster** section | ||
of the left menu and controls available on these pages. For example, users |
Don't quite understand to which word "controls" refers: permissions, section, menu?
|
||
1. Click **Add**. | ||
2. Fill in the user information: username, full name, and description. | ||
3. Generate or enter a password. |
Not sure but to me "enter a password" sounds like it should be entered when logging in. I'd think about replacing it with "specify".
and the private key is a password. | ||
|
||
Users receive their first passwords during the account creation. It can be entered | ||
manually or generated automatically. |
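Review bot: The paragraph starting "Users receive their first passwords during the account creation" does not say whether a user has to replace that first password, which an administrator entered or generated, at first login; one sentence on this would help readers. In the next sentence, "It can be entered" refers back to the plural "first passwords"; suggest "The password can be entered manually or generated automatically."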
I'd remove the second sentence here as it duplicates the info from Managing users (and added the link for account creation to Managing users).
Changing users' passwords | ||
~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
Administrators can manage a user's passwords on this user's **Secrets** page. |
"a user's passwords" sounds like a user can have multiple passwords
it's true
This subject is confusing me a bit. The case of one TCM user having multiple secrets (username/password pairs) is technically possible. I didn't describe it on purpose: I don't see a valid real-life usage scenario for this.
AFAIU, this functionality is intended for use when TCM receives more than one way to authenticate users. For example, one user will have three secrets: a password, a certificate, and a fingerprint (whatever, just imagining :)). But right now it doesn't look useful in practice.
@filonenko-mikhail, what do you think? Should we describe the case of multiple passwords explicitly (therefore encouraging readers to do this)?
- **Block after N login attempts**. | ||
- **User lockout time in seconds**. |
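Review bot: The list items **Block after N login attempts** and **User lockout time in seconds** have no descriptions, so a reader cannot tell whether N counts only failed attempts or what happens to the account once the lockout time has passed. Suggest adding a one-line description to each item that states both.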
Are these settings related? Don't quite understand the second one
Added the descriptions
- Manage LDAP configurations | ||
|
||
* - ``admin.passwordpolicy.read`` | ||
- View password policy |
Fixed
:widths: 30 70 | ||
:header-rows: 1 | ||
|
||
* - Permission |
my bad, user.password.change is actual for access to change own password, please restore it
Restored
Co-authored-by: Andrey Aksenov <[email protected]>
No we should not
Let's describe that password is one
Wed, 22 Nov 2023 at 06:41, Pavel Semyonov ***@***.***>:
… ***@***.**** commented on this pull request.
------------------------------
In doc/reference/tooling/tcm/tcm_access_control.rst
<#3866 (comment)>:
> +Users receive their first passwords during the account creation. It can be entered
+manually or generated automatically.
+
+All passwords are governed by the :ref:`password policy <tcm_access_control_password_policy>`.
+It can be flexibly configured to follow security requirements of your organization.
+
+Changing your password
+~~~~~~~~~~~~~~~~~~~~~~
+
+To change your own password, click your name in the top-right corner and go to
+**Settings** > **Change password**.
+
+Changing users' passwords
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Administrators can manage a user's passwords on this user's **Secrets** page.
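Review bot: The sentence "Administrators can manage a user's passwords on this user's **Secrets** page" under "Changing users' passwords" does not name the permission that allows it. Since this file documents access control, suggest naming the permission that grants access to another user's **Secrets** page in this paragraph.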
This subject is confusing me a bit. The case of one TCM user having
multiple username/password pairs is technically possible. I didn't describe
it on purpose: I don't see a valid real-life usage scenario for this.
AFAIU, this functionality is intended for use when TCM receives more than
one way to authenticate users. For example, one user will have three
secrets: a password, a certificate, and a fingerprint (whatever, just
imagining :)). But right now it doesn't look useful in practice.
@filonenko-mikhail <https://github.com/filonenko-mikhail>, what do you
think? Should we describe the case of multiple passwords explicitly
(therefore encouraging readers to do this)?
Co-authored-by: Andrey Aksenov <[email protected]>
Resolves #3634 Co-authored-by: Andrey Aksenov <[email protected]>
Resolves #3634
Deployment: https://docs.d.tarantool.io/en/doc/gh-3634-tcm-rbac/reference/tooling/tcm/tcm_access_control/
Add new section TCM > Access Control:
TODO (in scope of #3637):